The Green Sheet Online Edition

March 12, 2018 • Issue 18:03:01

Foiling fraud in online gaming

By Don Bush
Kount Inc.

Online gaming has risen in popularity over the last few years. Revenue clocked in at $108.9 billion in 2017, and the compound annual growth rate was 6.2 percent, according to market intelligence company Newzoo. With this, however, come criminals attempting to leverage the high-growth space for illegal gain.

Fraudsters infiltrate the online gaming world in many ways, including:

Small-ticket orders and card testing: Transactions for online game companies are typically low in value and often take place within game play. Also, these orders must be approved or declined in real-time to avoid interrupting the game's flow. That presents a different set of challenges compared to physical goods merchants who can take time to manually review big-ticket transactions before shipping products. The nominal amounts typically involved in online game transactions make these sites prime targets for card testing.

Account takeover and synthetic IDs: A significant percentage of fraudsters are also gamers. For them, fraud is an economic activity, as well as a form of competition. Once hackers find a successful fraud technique or tactic on one site, they use that knowledge at other sites. Games featuring game currency or points within game play are the prime targets for account takeover activity.

Spoof sites: Spoof sites are closely linked with account takeover fraud, providing stolen user data that fuels account takeovers. Fraudulent spoof sites with cascading style sheet code stolen from legitimate game sites can look exactly like the sites they're spoofing. Typically, the URL for a spoof site is only one letter different from the actual site, for example, www.online-gamet-net.com versus www.online-gamer-net.com. When unsuspecting players mistype the web address, they arrive at what looks like their intended destination. Their login credentials get collected and are used to steal their account on the actual site.

Bots: Fraudsters will refer "new players" that are actually bots using synthetic IDs and stolen credit card accounts. With each referral, a fraudster earns a reward to either turn directly into cash or boost the value of the account so it can be sold on the Dark Web. One fraudster using this technique can generate hundreds of referrals with minimal work. An entire, coordinated criminal gang deploying multiple bots can dramatically accelerate the damage.

Fighting fraud does more than combat financial losses; it helps keep game playing legitimate so customers will return. Players who experience bots or fraudulent accounts won't want to come back and continue to lose. So what can businesses do to protect themselves and their loyal customers? First, they should use a fraud prevention system that employs artificial intelligence (AI) and balanced machine learning, along with multiple screening technologies and transaction data. A comprehensive system should be able to collect and analyze hundreds of discrete data points associated with every transaction.

Fraud fighting practices to incorporate include:

Advanced AI and machine learning: AI and machine learning technology have virtually unlimited computing and memory capacity that enable them to spot patterns in big data undetectable to humans and predict emerging fraud threats in low-information scenarios, such as first-time fraud. However, it's important to note that AI and machine learning by themselves are not as powerful or precise as when they are complemented by a rules-based system for maximum control and transparency.

Biometrics: Behavioral biometric technology can verify and confirm users' identities by monitoring how they naturally interact with their devices ‒ through mouse movements, keystroke dynamics and other behaviors ‒ delivering instant identity verification.

Multiple, advanced screening: A single tool can be easily defeated. It's essential to employ multiple technologies that screen multiple dimensions of every transaction and analyze massive amounts of data.

Account registration: Information required for account registration increases the amount of data available to be analyzed for risk assessment and slows down fraudsters (without overburdening legitimate players), causing fraudsters to move on to easier targets.

Multiple stages: Put checks in place throughout the buying path ‒ during account registration, before authorization, at authorization and post-authorization to provide more opportunities to identify fraudsters.

Chargeback alerts: Electronic notification from chargeback alert services warn you immediately whenever a TC-40 (fraud) claim is issued, allowing businesses to take remedial steps, including suspending the account and/or notifying the actual user, issuing a refund and avoiding chargeback fees and fines, and using data to identify other fraud instances perpetrated by the attacker.

All payment types: Fraud prevention shouldn't be limited by the payment, processor or transaction types it can assess. Whether processing credit and debit cards, payment services like PayPal, international payment providers or cryptocurrencies like bitcoin, your ability to assess and quantify fraud danger should never be compromised.

Device and channel neutrality: Whether an order originates on desktop, mobile, phone or fax, the same multilayered approach and multiple screening technologies should be applied ‒ while still providing customization that facilitates optimized results based on the unique attributes of that channel.

Real-time data orchestration: For online games and gaming, reduced data available within a transaction (for example, lack of delivery/ship-to address) can result in insufficient information to precisely quantify risk. Accessing third-party data sources in real time can provide crucial context, helping to correctly evaluate borderline transactions.

Experienced human intelligence: Systems developed and tuned by fraud industry experts have an inherent advantage against adaptable human adversaries.

Don Bush joined Kount as Director of Marketing in October 2010 and became Vice President of Marketing in December 2012. Previously, he was Director of Marketing at CradlePoint, a leading manufacturer of wireless routing solutions in the mobile broadband industry. Don has worked in several management roles within the technology segment for over 20 years with both hardware/software manufacturers and as a partner in two top technology marketing agencies. Contact him at don.bush@kount.com or visit www.kount.com.

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.